<%@ page language="java"%>
<%@ page import="java.sql.*"%>
<%@ page import="java.util.*"%>
<%@ page import="java.io.*"%>
<html>
<head><title>Read from mySQL Database</title>
</head>
<body>
<center>

<%

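	/**
	 * Best-effort blocklist filter that strips obvious script blocks, javascript: URLs
	 * and on*-handler elements from a string.
	 *
	 * The three patterns are case-insensitive but are not DOTALL (they do not span
	 * newlines) and only recognise the literal spellings they were written for, so
	 * this class is defence in depth only: values must still be HTML-escaped at the
	 * point of output and bound with PreparedStatement parameters for SQL.
	 */
	class XSSchecker
	{
		/**
		 * Returns {@code string} with the recognised script markup removed.
		 *
		 * @param string the raw input; may be {@code null}
		 * @return the filtered copy, or {@code null} when the input was {@code null}
		 */
		public String sanitize(String string)
		{
			if (string == null)
			{
				return null;
			}
			// String is immutable: replaceAll() returns a new value and leaves the
			// receiver untouched. The original discarded each result and returned the
			// input unchanged, so the filter never removed anything.
			String filtered = string.replaceAll("(?i)<script.*?>.*?</script.*?>", "");
			filtered = filtered.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", "");
			filtered = filtered.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", "");
			return filtered;
		}
	}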

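       try
       {
		XSSchecker checker = new XSSchecker();

		// Session attributes are Objects: compare with equals(), not ==. Reference
		// comparison against a literal only succeeds when the stored value happens
		// to be the same interned String, so the login and role gates were unreliable.
		if ("true".equals(session.getAttribute("logged_in")))
		{
			out.println("<p><h2>Logged In</p></h2>");
			if ("administrator".equals(session.getAttribute("user_level")))
			{
				// Read each parameter once; null-check before handing it to the filter.
				String rawUsername = request.getParameter("username");
				String rawName = request.getParameter("name");
				String username = (rawUsername == null) ? null : checker.sanitize(rawUsername);
				String name = (rawName == null) ? null : checker.sanitize(rawName);

				// Blank test via trim()/isEmpty(); the original == "" reference check never matched.
				if (username == null || name == null || username.trim().isEmpty() || name.trim().isEmpty())
				{
					out.println("<p><h1>Name or user Name field should not be blank!! </h1></p>");
					out.println("<a href=menu.jsp>Main Menu</a> ");
				}
				else
				{
					String DRIVER = "com.mysql.jdbc.Driver";
					Class.forName(DRIVER);

					// NOTE(review): the database user and password are embedded in this page
					// and therefore in source control. They belong in a container-managed
					// DataSource or a deployment-time init parameter, and the account should
					// be rotated once moved.
					String url="jdbc:mysql://ecstiger.cs.andrews.edu/d562_2010_01?user=u562_2010_01&password=YPJ8f4We";

					Connection con = null;
					PreparedStatement lookup = null;
					PreparedStatement insert = null;
					ResultSet rst = null;
					try
					{
						con = DriverManager.getConnection(url);
						// Bound parameter: the username never reaches the SQL text.
						lookup = con.prepareStatement("SELECT username FROM user WHERE username = ? ;");
						lookup.setString(1, username);
						rst = lookup.executeQuery();

						if (rst.next())
						{
							// The submitted value is untrusted; escape it for HTML here rather
							// than relying on the blocklist filter to make it safe for markup.
							String safeUsername = username
								.replace("&", "&amp;")
								.replace("<", "&lt;")
								.replace(">", "&gt;")
								.replace("\"", "&quot;")
								.replace("'", "&#39;");
							out.println("<p><h1>The user Name '" + safeUsername +"' has been taken, Please choose another one!!<h1></p>");
							out.println("<a href=menu.jsp>Main Menu</a> ");
						}
						else
						{
							// Separate statement object: the original reused `stmt` and leaked
							// the first PreparedStatement without closing it.
							insert = con.prepareStatement("INSERT INTO `d562_2010_01`.`user`(`id`,`name` ,`username` ,`password` ,`level` )VALUES (NULL,? ,?, '0000', '0');");
							insert.setString(1, name);
							insert.setString(2, username);
							insert.executeUpdate();
							out.println("<p><h1>User add successfully!! </p></h1>");
							out.println("<a href=menu.jsp>Main Menu</a> ");
						}
					}
					finally
					{
						// Close in reverse order of acquisition; each close is guarded so
						// a failure on one does not leak the rest. The original only closed
						// on the success path.
						if (rst != null) { try { rst.close(); } catch (SQLException ignored) { } }
						if (insert != null) { try { insert.close(); } catch (SQLException ignored) { } }
						if (lookup != null) { try { lookup.close(); } catch (SQLException ignored) { } }
						if (con != null) { try { con.close(); } catch (SQLException ignored) { } }
					}
				}
			}
			// A logged-in non-administrator sees only the "Logged In" banner.
		}
		else
		{
			out.println("Not Logged In");
		}
	}
	catch(Exception e)
	{
		// Log the full exception server-side; the response gets a generic message so
		// driver/JDBC details (including the connection URL) are not disclosed to the client.
		application.log("add user page failed", e);
		out.println("<p><h1>An error occurred while adding the user.</h1></p>");
		out.println("<a href=menu.jsp>Main Menu</a> ");
	}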

%> 
</center>
</body>
</html>